Traffic Shaping Linux (restrict Bandwidth)

Wednesday, 14th May 2008 at 02:41 (administration, linux)
Tags: , , , ,

Allthough I haven’t found some shiny GUI somewhat like Netlimiter there is Wonder shaper (and shaper and trickle and squid for http and …) where a single command line sets your over-all bandwidth for network interface X. And, isn’t that all you really need?:


sudo wondershaper ethX downlink(kbit/s) uplink(kbit/s)

This is, from the perspective of the host doing the shaping. For example to set download to 10000kb (750*8 = 6000 DSL but don’t limit intranet connections on 1Mb Ethernet) but limit upload to, say, 35kB (~280kb) — e.g. if you have a server running on the same connection you do your daily internetting, you do:


sudo wondershaper eth0 10000 280

Ressources

2 Comments

Howto Extract all Files from Microsoft Installer Files (msi) rather than to Install the Package

Saturday, 10th May 2008 at 12:15 (administration, windows)
Tags: , , , ,

All you need is the Windows Installer itself. Hit Win+R (command line dialog) and execute the following line (change file name and target folder, of course):


msiexec /a c:\tmp\MSIFileName.msi /qb TARGETDIR="c:\tmp\msitmp\"

You’ll find all files in your target folder.

Comments

How to Move VirtualBox’s Guest Hard Drives to Another (Physical) Location

Saturday, 26th Apr 2008 at 15:22 (administration, linux)
Tags: , , , ,

If you ever wanted to move your (very large) file that contains a Virtualbox’s guest hard drive (file extension is .vdi) to another location and did so just like that Virtualbox wouldn’t find it the next time you wanted to boot into your guest system. The only thing Virtualbox needs to be pointed to is the new location of that file.

The standart location of VDI files is (for Linux) ~/.VirtualBox/VDI/ (see global settings, where you could also change this if that’s all you want). Remember the old file name and close Virtualbox, just in case it would overwrite settings when closed after the following changes. Now let’s move one file to, say, /media/USBDrive/virtualbox/. Now do:

  1. Use your favorite editor to open ~/.VirtualBox/Virtualbox.xml
  2. Find the line that says something like: 
    
<VirtualDiskImage filePath="VDI/old file name.vdi"/>
  3. Change it to point to your new location. So it should read something like: 
    
<VirtualDiskImage filePath="/media/USBDrive/new file name.vdi"/>
  4. Done.

1 Comments

How to Build a Windows XP SP3 Integrated Installation CD

Wednesday, 23rd Apr 2008 at 13:25 (administration)
Tags: , , , ,

You need:

  1. Old/original Windows XP installation CD (any of SP0 to SP2 will do even though only those from SP2 are supported officially). Make sure to use build 5512 or above.
  2. Microsoft Windows SP3
  3. unzipper like WinRar, unrar for  Linux / Ubuntu or the like
  4. ISO creator / CD burn program like mkisofs, InfraRecorder, UltraISO, Basero (or others) or even old school
  5. Boot image exctracted using BBIE or use this (also see Box.net box below)
  6. ~ 1 GB free tmp space on disk

You do:

  1. Extract / copy old Windows CD’s content (including hidden files!) to one folder (e.g. c:\XPCD)
  2. extract SP3’s content to another folder (e.g. c:\XPSP3) using e.g. unrar, winrar or hit Win+R and type 
    
c:\XPSP3\windowsxp-kb936929-sp3-x86-enu.exe –x

    and select target folder, here c:\XPSP3

  3. To slipstream the old CD do Win+R and copy+paste or type 
    
c:\XPSP3\i386\update\update.exe /integrate:c:\XPCD
  4. Create bootable CD image or CD using the boot image and your updated folder c:\XPCD. I recommend using mkisofs (Windows or Linux executable) using 
    
mkisofs \
    -b cdboot/msboot.img -no-emul-boot -boot-load-seg 1984 -boot-load-size 4 \
    -iso-level 2 -J -l -D -N -joliet-long -relaxed-filenames \
    -V "WINSP" \
    -o ../winsp.iso .

    from within the root folder of the CD to be, i.e. c:\XPCD. Create a new folder there and drop your boot image, i.e. cdboot/msboot.img.

  5. Done.

You might want to try booting from the image using VirtualBox.

Resources:

3 Comments

Making Apache server use SSL only

Tuesday, 8th Apr 2008 at 14:02 (administration, linux, open source)
Tags: , , , , , ,

Here is a forum post on how to make all incoming connections to your apache web server redirect to https, i.e. take encripted connections via ssl by using apache’s rewrite module.

Comments

Opera, Flash and Ubuntu (Feisty Fawn, Gutsy Gibbon and Hardy Heron also)

Tuesday, 18th Mar 2008 at 18:28 (administration, linux, ubuntu)
Tags: , , , , , ,

Note 08/01/08: There have been issues after the original plugin has been updated. See Ubuntu Forum, Bug description (workaround or fixed deb for firefox only which is version 9.0.115!) or comments below for more. Components have been removed that also opera needs! Yet another example why closed source is bad… Hence you might want to give gnash a go, i.e. open source flash. The new Flash version is meant to work with opera version > 9.50 Beta, though (see bottom note). Anyway, here it goes for Flash version \leq 9.0.48.0:

Note 2008/04/19: Before you get all frustrated about Flash and Opera you might enjoy operas’ ads.

Here we go

To install Adobe Flash Player after you installed Opera in Ubuntu, I found the best way is to, once again, use the debian way:


sudo aptitude install flashplugin-nonfree

After the install routine is done you need to add the path to plugins options in opera. Alternatively you could link there. To find where the new binaries are located do:


dpkg -S flashplugin-nonfree
app-install-data: /usr/share/app-install/desktop/flashplugin-nonfree.desktop
flashplugin-nonfree: /usr/lib/flashplugin-nonfree
flashplugin-nonfree: /var/cache/flashplugin-nonfree
flashplugin-nonfree: /usr/share/lintian/overrides/flashplugin-nonfree
flashplugin-nonfree: /usr/share/doc/flashplugin-nonfree
flashplugin-nonfree: /usr/share/doc/flashplugin-nonfree/changelog.gz
flashplugin-nonfree: /usr/share/doc/flashplugin-nonfree/copyright

Update 2008/04/16: The correct “list flag” for dpkg would be -L instead of -S:


dpkg -L flashplugin-nonfree | grep -i 'lib'
/usr/lib
/usr/lib/xulrunner
/usr/lib/xulrunner/plugins
/usr/lib/mozilla
/usr/lib/mozilla/plugins
/usr/lib/iceape
/usr/lib/iceape/plugins
/usr/lib/iceweasel
/usr/lib/iceweasel/plugins
/usr/lib/firefox
/usr/lib/firefox/plugins
/usr/lib/midbrowser
/usr/lib/midbrowser/plugins
/usr/lib/xulrunner-addons
/usr/lib/xulrunner-addons/plugins
/usr/lib/flashplugin-nonfree
/var/lib
/var/lib/flashplugin-nonfree

/Update

Alternatively you could link the lib’s binary to Opera’s plugin directory:


sudo ln /usr/lib/flashplugin-nonfree/libflashplayer.so /usr/lib/opera/plugins/

Some say you may need to restart opera in order for plugins to actually work. Fortunally, for me it work right away. In opera’s address field type opera:plugins to see what opera knows about flash.Update: See this blog on bleeding edge info on plugin’s development status if interested.

Ressources:

Update: This works for 7.04, a.k.a. Feisty Fawn, and 7.10, a.k.a. Gutsy Gibbon.

Update 2008/04/16: On a side note: There is the option reinstall for aptitude if one wants to make sure the newest files are all in the right places.

Update 2008/04/19:I stumbled upon the close to be release of Opera 9.5 which is currently in beta state (and has even more great features once again before Firefox has them ;) ). Supposingly the Debian package should get flash working. I tried the i386 version for Gutsy and it did work for me.

Update 2008/06/28: Here are some command line parameters you can start Opera with. Especially useful would be -debugplugin. To use it you have to open a terminal to see the additional information:


opera -debugplugin [Enter/Return Key]

32 Comments

Extracting a Bunch of .gz Files in One Go using Bash’s For Loop While Keeping Originals

Sunday, 6th Jan 2008 at 23:25 (administration, linux)
Tags: ,

While compressing a set of single files is fairly easy (one only needs to add ‘.gz’ or similar to the end of “file name strings”) the oposite is not so easy. Nevertheless it can be done doing:


for i in *.gz; do echo extracting $i ...; sudo su -c "gzip -dc $i > ${i:0:${#i}-3}"; done && ls *xpm

sudo su -c "" is for Ubuntu systems, ${#i}-3 sais “length of i minus 3″ which makes ${i:0:${#i}-3} to become each file name without trailing .gz.

Ressources

  • Bash by Example
  • man 8 bash section “Parameter Expansion” -> “Substring Expansion”

Comments

About the fuzz on rootkits and whether or not to detect one

Tuesday, 2nd Oct 2007 at 18:20 (administration, ideas, security)
Tags: , , , , , , ,

In the last couple of days I have been reading and hearing about Rootkits and the panic that comes with it. Mainly on German forums and sites, although also e.g. on Joanna Rutkowska’s blog (author of the “famous” Bluepill hijacker technique). And it kept me thinking. But first let me summerize what I understand the fuzz is all about.

A Rootkit is some sort of malware. Depending on whom you ask or enlist it is a piece of software running on someone’s computer — preferably with an Internet connection — without the user or even administrator knowing. I understand the definition itself so that this program does not have to be hiding itself in the memory and/or on the hard drive from detection software but it may (regardless of the, to my knowledge and despite Joanna’s work, unanswered question if potentially it can do so at all). Rootkits like any other malware have to be transferred to the target computer in some way or another and are — the hiding once like any other — detectable in this non-executed state (via digital signature for example). Ones primed, i.e. executed, the code becomes a process in the computer’s memory and tries to hide itself with various methods in memory and hard drives (potentially also MBR or even BIOS, but as far as I read/heard non have been reported so far).

Another factor of Rootkits is that they most often start with a small subset of code/features/routines and, ones residing in memory, recruit more and more features via the computer’s net link through a so-called back door. The back door part is why the differentiation from Trojan Horses is blurry. I’d say the Trojan Horse technique is only one of many features of such a Rootkit but that doesn’t make it a Trojan Horse since it’s not all it can do.

One other of the many possible features, and first shown by the before named Bluepill, is to become a hypervisor (think of it as a sandbox for OSs) like Xen (virtual machines like VMware, Qemu/VirtualBox work differently). The fancy bit about bluepill’s method is that, while active, the OS’ kernel is virtualized, i.e. becomes a guest OS from being host OS before; Microsoft Vista kernel here. It’s done by forcing to swap kernel parts to pagefile.sys which than are modified on disc — no Vista kernel protection — and loaded back to memory. Let me point out: On-the-fly, no reboot or BIOS or MBR modification necessary! That means that the malware runs below the OS or, rephrased the other way around, the real OS runs on top of the malware.

From Darkreading:

The new Blue Pill comes with support for so-called “nested” hypervisors (think Blue Pill within a Blue Pill), and uses an architecture similar to that of the open-source Xen 3 virtual machine technology. It comes with “on the fly” loading and unloading features, as well as more features for avoiding detection, such as hibernating and temporarily uninstalling the hypervisor when Blue Pill detects that a tool is about to detect it.

Let me add: This utilizes Pacifica specification of AMD’s newer processors which have virtualisation technology (VT) build-in. It just has been started on AMD processors but there are also implementations for Intel processors with similar techniques.

Having said all that I came to think of how could it still be possible to detect and what are the remarkable bits here. Let me also point out that I am by no means an expert on anti virus, Rootkits, hypervisors or any of that. I just know a some basic, though advanced, computer issues, how they basically work, about TCP/IP stuff and Linux OS basics. And I claim to have common sense :)

Ideas mentioned elsewhere to encounter the issue and comments on them:

Ok, now there is one point that is not technical at all: How do I detect something that can hide (let’s presume so) from a running system if I don’t see it and wouldn’t get alerted by any detection software? Imagine working on your computer and thinking: “Am I infected? Let’s check and boot to this detection LiveCD [see below]… checking… Good, not infected, so reboot to work system… keep on working… Oh, an now? Infected now?… LiveCD check… reboot to work, since still not infected… work a little… Hah, now is the time, I could now be infected… reboot….”.

The rumours are that it would be easy to detect the malware hiding on active systems when the system is dormant, i.e. not booted, e.g from some LiveCD. That’s one point I could believe to be true to some extant since I guess the malware has to have saved itself on system shut down to some place on the hard drive, BIOS (graphic card’s one, too), or some kind of non-volatile memory and, more importantly, cannot defend, i.e. hide, itself actively. But as with any malware detection by signature the signature of such “saved state hiding malware” has to be known which might be hard since it’s easy for malware to change it’s “saved state form” and thereby it’s signature. And also, is it handy and operably in real life to shut down, eg., servers “only” to detect potentially infected systems (again, assuming all the while it’s not possible to detect while the system is active)?

If it’s possible to only have one hypervisor (what I don’t know right now) then wouldn’t it be easy to just check if a hypervisor is present or can be enabled. If not because one is present already but not known about by the system -> suspicious. Matasano’s virtualized rootkit detector most likely is about even more than that (from Hacker Smackdown, June 28th, 2007):

Ptacek, Lawson, and Ferrie contend that virtualization-based malware is actually easier to detect than a normal (non-virtualized) rootkit because basically by definition it leaves a trail, introducing changes in the system’s CPU clock, for instance. And the malware would have to be bug-free to truly emulate a system, anyway, Ptacek argues. “The problem with virtualized rootkits is… They have to present the illusion they are talking to real hardware and that’s not an easy task,” he says. “In order to do that, you have to write a bug-free program whose job it is to emulate bugs. And we don’t know how to write bug-free programs.”

One very simply (that’s why I liked it!) detection method described in a German forum was to simultaneously do an outside port scan and ask the system “from inside” for open ports. Most likely the malware will show an open port to the outside (it wants to receive data here) but will hide this port to the system running the malware.

Ideas I haven’t read about so far or are not related directly but rather with malware in general but still fairly new:

  • As a basic approach (operating) systems have to be transparent (best I know of open source) for experts to know what’s going on inside and users to trust “their” system. This is no new argument I assume.
  • Digital signature (public/private keys) handling in kernel for processes similar to what I believe Vista does but holistically and, again, transparent. The idea is similar to that Debian (and other distributions since) have been using with their repositories and dpkg/apt system for years now but now within the computer itself. SecureApt as it’s called uses MD5 checksums (switch to SHA-1 when MD5 is broken) to uniquely and securely identify software packages retrieved from Internet repositories and to verify data (read byte stream) is unchanged on the way from the maintainer to the user’s computer. On top of that SecureApt uses OpenPGP (with GPG) private keys to sign repositories release summaries and public keys to verify the signature, i.e. deciding whether a repo is trusted or not. Why not taking this one step further to the kernel itself and have a module in the kernel implementing the idea of SecureApt but for processes (instances of programs from those repositories)? Though, I guess with quantum computers approaching this prevention method most likely will not hold long anyway.
  • Security systems (German) like AppArmor or even better SELinux should be used more widely to protect more systems better from so-called 0-day attacks and the like. And thereby limit distribution of malware. These two methods, of course, do nothing to increase detection on harmed systems. It only prevents from becoming infected.
  • Don’t by VT supported processors if you don’t need to. This, as with all security issues, will not work on a wide range since it’s more convenient to benefit from supposingly up to 95% performance enhancement for so-called paravirtualized guest systems (more precisely domUs). At least if you need to run unmodified OSs like MS Windows. If you can however modify the domUs, eg. Linux, you can have the same performance with eg. Xen. Let me point out that unlike virtualized guest operating system with paravirtualization the domU does know about it being virtualized and can, among others, access hardware directly.
  • Another idea on how to become suspicious of possible infections includes a second system with net link to computers at risk. I’d call it a watch server or pass-through server. Maybe it could just be your firewall of choice. The idea is to watch the traffic from an to computers in your network just like a firewall does but watch for and learn some sort of network traffic signatures or patterns. This way you get a (statistical) profile of typical traffic regarding individual systems independent of applications running, user behaviour or or the like. Just plain network traffic. This, of course, has to be done while one is certain of no infections in the network. If one can guaranty this it could be possible after this learning phase to detect suspicious traffic.

Maybe everything said here is not new at all to others. But one thing I reckon will be true: After all it will always be a game of cat-and-mouse, since the bad guys will try to detect methods like those mentioned here to hide themselves and the good guys will always try to be smarter. The most interesting part I find about self hiding malwares is that malware is turning the tables now (well, not entirely): With conservative viruses it was evolving new techniques unknown to the anti-virus guys. Now it’s (partly) malware becoming virus-detection-detectors.

And one other thing once again became clear to me: The need for researchers to “do bad things”, i.e. to develop, test, execute, issue and whatever else necessary malware of whatever kind to be able to come up with antidote! Unfortunately there are movements on the way in Germany (German, heise, 06.07.2007 14:23) and as I understand in other parts of the would, too, to prohibit this.

Happy hacking ;)

Update 2007/10/11:

In slashdot there has been a note on VM-Based Rootkits Proved Easily Detectable pointing out an article from researchers from Stanford, CMU, VMware, and XenSource “Compatibility Is Not Transparency: VMM Detection Myths and Realities” (pdf). Unfortunatelly, untill now I haven’t had the time to read it.

Resources:

Comments

How to find out what occupies space on your Linux hard drive

Sunday, 30th Sep 2007 at 20:42 (administration, linux, ubuntu)
Tags: , , , , ,

The other day I noticed that my settings directory (/etc) uses over 13 MB of my hard drive. So I wandered which package (I’m using a Debian based package managed system) makes the settings directory grow so large. After a couple of trails and errors I came up with the following sequence of commands:


$ du -h --max-depth=1 /etc 2> /dev/null | egrep '(^[5-9][0-9]{2}K)|M'
692K    /etc/X11
672K    /etc/acpi
712K    /etc/xdg
2.1M    /etc/brltty
500K    /etc/ssl
528K    /etc/mono
20K     /etc/NetworkManager
13M     /etc
$ dpkg -S '/etc/brltty'
brltty-x11, brltty: /etc/brltty
$ apt-cache show brltty | grep -A5 'Description'
Description: Access software for a blind person using a soft braille terminal
BRLTTY is a daemon which provides access to the Linux console (text mode)
for a blind person using a soft braille display.  It drives the braille
terminal and provides complete screen review functionality.
The following display models are supported:
* Alva (ABT3xx/Delphi)

Fortunatelly, I’m not blind so I could remove brltty with aptitude which then suggested to remove dependencies, too.

References:

  • Regex reference
  • Resources for advanced Ubuntu topics, eg. how to remove …-desktop meta packages with apt-get (instead of aptitude), secure networking setup, etc.

Comments

« Previous entries · Next entries »